Date: Mon, 30 Aug 2021 23:13:16 GMT From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: dd9f588238e3 - stable/13 - ktls: Don't mark existing received mbufs notready for TOE TLS. Message-ID: <202108302313.17UNDG7V076577@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=dd9f588238e35e6887eeaa10f10e2be9666ed60d commit dd9f588238e35e6887eeaa10f10e2be9666ed60d Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-06-15 17:36:57 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-08-30 22:09:50 +0000 ktls: Don't mark existing received mbufs notready for TOE TLS. The TOE driver might receive decrypted TLS records that are enqueued to the socket buffer after ktls_try_toe() returns and before ktls_enable_rx() locks the receive buffer to call sb_mark_notready(). In that case, sb_mark_notready() would incorrectly treat the decrypted TLS record as an encrypted record and schedule it for decryption. This always resulted in the connection being dropped as the data in the control message did not look like a valid TLS header. To fix, don't try to handle software decryption of existing buffers in the socket buffer for TOE TLS in ktls_enable_rx(). If a TOE TLS driver needs to decrypt existing data in the socket buffer, the driver will need to manage that in its tod_alloc_tls_session method. Sponsored by: Chelsio Communications (cherry picked from commit faf0224ff27b93b743d50b3830bf5ce345b67e94) --- sys/kern/uipc_ktls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 0f5cc7c1b28f..21e2386ac2bf 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -1043,8 +1043,10 @@ ktls_enable_rx(struct socket *so, struct tls_enable *en) so->so_rcv.sb_flags |= SB_TLS_RX; /* Mark existing data as not ready until it can be decrypted. */ - sb_mark_notready(&so->so_rcv); - ktls_check_rx(&so->so_rcv); + if (tls->mode != TCP_TLS_MODE_TOE) { + sb_mark_notready(&so->so_rcv); + ktls_check_rx(&so->so_rcv); + } SOCKBUF_UNLOCK(&so->so_rcv); counter_u64_add(ktls_offload_total, 1);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108302313.17UNDG7V076577>